11 Systems

First published in 2012 by the Safety Institute of Australia Ltd, Tullamarine, Victoria, Australia.

Bibliography.

ISBN 978-0-9808743-1-0

This work is copyright and has been published by the Safety Institute of Australia Ltd (SIA) under the auspices of HaSPA (Health and Safety Professionals Alliance). Except as may be expressly provided by law and subject to the conditions prescribed in the Copyright Act 1968 (Commonwealth of Australia), or as expressly permitted below, no part of the work may in any form or by any means (electronic, mechanical, microcopying, digital scanning, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission of the SIA.

You are free to reproduce the material for reasonable personal, or in-house, non-commercial use for the purposes of workplace health and safety as long as you attribute the work using the citation guidelines below and do not charge fees directly or indirectly for use of the material. You must not change any part of the work or remove any part of this copyright notice, licence terms and disclaimer below.

A further licence will be required and may be granted by the SIA for use of the materials if you wish to:

reproduce multiple copies of the work or any part of it

charge others directly or indirectly for access to the materials

include all or part of the materials in advertising of a product or services, or in a product for sale

modify the materials in any form, or

publish the materials.

Enquiries regarding the licence or further use of the works are welcome and should be addressed to:

This material is supplied on the terms and understanding that HaSPA, the Safety Institute of Australia Ltd and their respective employees, officers and agents, the editor, or chapter authors and peer reviewers shall not be responsible or liable for any loss, damage, personal injury or death suffered by any person, howsoever caused and whether or not due to negligence, arising from the use of or reliance of any information, data or advice provided or referred to in this publication. Before relying on the material, users should carefully make their own assessment as to its accuracy, currency, completeness and relevance for their purposes, and should obtain any appropriate professional advice relevant to their particular circumstances.

A defined body of knowledge is required as a basis for professional certification and for accreditation of education programs giving entry to a profession. The lack of such a body of knowledge for OHS professionals was identified in reviews of OHS legislation and OHS education in Australia. After a 2009 scoping study, WorkSafe Victoria provided funding to support a national project to develop and implement a core body of knowledge for generalist OHS professionals in Australia.

Development

The process of developing and structuring the main content of this document was managed by a Technical Panel with representation from Victorian universities that teach OHS and from the Safety Institute of Australia, which is the main professional body for generalist OHS professionals in Australia. The Panel developed an initial conceptual framework which was then amended in accord with feedback received from OHS tertiary-level educators throughout Australia and the wider OHS profession. Specialist authors were invited to contribute chapters, which were then subjected to peer review and editing. It is anticipated that the resultant OHS Body of Knowledge will in future be regularly amended and updated as people use it and as the evidence base expands.

Conceptual structure

The OHS Body of Knowledge takes a "conceptual" approach. As concepts are abstract, the OHS professional needs to organise the concepts into a framework in order to solve a problem. The overall framework used to structure the OHS Body of Knowledge is that:

Work impacts on the safety and health of humans who work in organisations. Organisations are influenced by the socio-political context. Organisations may be considered a system which may contain hazards which must be under control to minimise risk. This can be achieved by understanding models of causation for safety and for health which will result in improvement in the safety and health of people at work. The OHS professional applies professional practice to influence the organisation to bring about this improvement.

This can be represented as:

Audience

The OHS Body of Knowledge provides a basis for accreditation of OHS professional education programs and certification of individual OHS professionals. It provides guidance for OHS educators in course development, and for OHS professionals and professional bodies in developing continuing professional development activities. Also, OHS regulators, employers and recruiters may find it useful for benchmarking OHS professional practice.

Application

Importantly, the OHS Body of Knowledge is neither a textbook nor a curriculum; rather it describes the key concepts, core theories and related evidence that should be shared by Australian generalist OHS professionals. This knowledge will be gained through a combination of education and experience.

Accessing and using the OHS Body of Knowledge for generalist OHS professionals

The OHS Body of Knowledge is published electronically. Each chapter can be downloaded separately. However, users are advised to read the Introduction, which provides background to the information in individual chapters. They should also note the copyright requirements and the disclaimer before using or acting on the information.

Core Body of Knowledge for the Generalist OHS Professional

Systems

Abstract

"System" is a commonly used term in Occupational Health and Safety (OHS) as in, for example, systems of work, OHS management systems and system safety. Systems thinking and system methodologies have a rich history outside the OHS sphere. Examination of the use of "system" terminology within OHS indicates that it frequently refers to a "systematic" approach, or a series of logically ordered steps, rather than what has developed as "systems thinking." Although a systematic approach is useful, OHS management could benefit from the application of systems thinking and from a viable system approach, which treats organisations as whole entities with interconnected elements, and recognises that a system cannot be entirely understood by examining the parts in isolation. This chapter reviews the development of systems thinking and its historical and present-day application to OHS. In presenting the implications for OHS practice it concludes that the optimal OHS outcome can be achieved through an understanding of a system and the application of different systems methodologies at different stages in the OHS risk management process.


1 Introduction

2 Historical perspective

3 Understanding "systems"

3.1 System and systematic

3.2 Systems of work

3.3 OHS management systems

3.4 Systems thinking in an OHSMS context

3.5 System safety

3.6 System variability

4 Implications for OHS practice

5 Summary

Key authors and thinkers

References

1 Introduction

"System" is a widely used word, with applications in most fields of endeavour. Indeed, it has been argued that the term is so widely used that it has become meaningless (e.g. Flood & Jackson, 1991). Within Occupational Health and Safety (OHS), there is application of various systems concepts, including "system safety," "sociotechnical system," "human-machine system" and "systems thinking," as well as the domain-specific "safe system of work" and "OHS management system." It is vital that OHS professionals and those they work with have a clear and shared understanding of such concepts as they apply to OHS. After a brief examination of the historical development of systems thinking and the concept of a sociotechnical system, this chapter distinguishes between "system" and "systematic" as a basis for understanding systems of work and OHS management systems. This is followed by a discussion of systems thinking in the context of OHS management systems, system safety and system variability. It concludes with some implications for OHS professional practice and a final summary.

2 Historical perspective

Systems thinking as a school of thought originated in the late 1920s when biologists began to realise that while the standard scientific method of studying the component parts of living organisms yields important information, the critical characteristic is their level of organisation as a whole. In the late 1940s, Austrian biologist Ludwig von Bertalanffy, who is generally credited with founding the systems thinking movement, argued "that these ideas about organisms could be extended to complex wholes of any kind: to 'systems'" (Checkland, 1999, p. 48). During the 1950s, psychologists (most notably Eric Trist and Fred Emery) at London's Tavistock Institute of Human Relations developed the concept of a sociotechnical system, which focused on the role of workers' relationships with each other and with the technical systems used in their work (Emery, 1959; Trist, 1981). Most famously, Tavistock Institute research projects were conducted in the British coal mining industry, which despite increasing mechanisation was experiencing low productivity, along with relatively high incidences of labour disputes and absenteeism (Trist, 1981). At the time, the prevailing approach to management was one of increasing bureaucracy within organisations, fuelled by Weber's "ideal bureaucracy" and Taylor's scientific approach of breaking complex tasks into sequences of simple tasks with each group of labour doing "the work for which it was best suited." In a South Yorkshire coalfield, the Tavistock researchers identified a "new paradigm of work" that represented an alternative to the Weber/Taylor organisational model in that it melded previously separate approaches to the social and technical organisational systems by adhering to the following principles:

The work system, which comprised a set of activities that made up a functioning whole, now became the basic unit rather than single jobs into which it was decomposable.

Correspondingly, the work group became central rather than the individual job holder.

Internal regulation of the system by the group was thus rendered possible rather than the external regulation of individuals by supervisors.

A design principle based on the redundancy of functions rather than the redundancy of parts (Emery, 1967) characterized the underlying organizational philosophy which tended to develop multiple skills in the individual and immensely increase the response repertoire of the group.

This principle of multiple skills valued the discretionary rather than the prescribed part of work roles (Jacques, 1956).

The individual is complementary to the machine rather than an extension of it (Jordan, 1963).

This new way of working is variety-increasing for both the individual and the organisation rather than variety decreasing as in the bureaucratic mode. (Trist, 1981, p. 9)

The Tavistock researchers found that sociotechnical systems analysis was necessary at three interrelated levels – the primary work system (e.g. a department or service unit), the whole organisation system (e.g. a plant or an entire corporation) and the macrosocial system (e.g. an industrial sector or the media) (Trist, 1981).

Sociotechnical systems theory and principles held significant relevance for OHS. They provided the foundation for human-machine systems and system safety conceptual models. Human-machine systems frameworks were developed by ergonomists and related professionals (human factors engineers, engineering psychologists, cognitive systems engineers) as a basis for improved design, problem diagnosis and management of systems in which humans are key elements (Sheridan, 1974; Singleton, 1967a, 1967b; Wilson, 2005). A holistic, human-centred systems approach is intrinsic to contemporary ergonomics practice. As defined by the International Ergonomics Association (IEA, 2000):

Ergonomics (or human factors) is the scientific discipline concerned with the understanding of the interactions among humans and other elements of a system, and the profession that applies theoretical principles, data and methods to design in order to optimize human well being and overall system performance.

System Safety as a concept arose among scientists supporting defence force operations during the 1940s and 50s (e.g. Miller, 1954). At the same time in the public health domain, Gordon (1949) identified the importance of interactions within a system comprising the "host", an "agent" and the environment, and in subsequent decades Haddon and colleagues further developed these and related concepts into the "Haddon matrix" (Haddon, Suchman & Klein, 1964; Runyan, 1998), which influenced approaches to risk control in both health and safety contexts. Conceptual frameworks such as these took some account of interactions between system components, but were mainly used to identify the need for design changes in particular system elements such as equipment (e.g. Murrell, 1965) or procedures and rules for system operations (e.g. McGill, 1966, 1968).

System safety conceptual models gained momentum in the 1960s in the US, initially "in response to the 'fly-fix-fly' approach to aircraft systems design" (SSS, 2002) and as a result of the 1969 publication of MIL-STD-882: System Safety Program for Systems and Associated Subsystems and Equipment by the US Department of Defense (Ericson, 2006).

During the last decades of the twentieth century, progress towards focusing on the system as a whole rather than its individual elements was stimulated by the rapidly accelerating rate of technological development and related problems, particularly those associated with large-scale chemical processing, power generation and major aerospace programs. Investigations into the causes of major disasters associated with these industries (e.g. the Three-Mile Island Nuclear Power Plant accident in 1979) were important in demonstrating the need for system-level analysis, since in each case there were found to be failures in a diverse range of system elements which interacted to create the disaster.

"Hard" and "soft" systems methodologies evolved as ways to apply systems thinking. Hard systems methodologies (HSM) "offered managers and management scientists a means of seeking to optimize the performance of a system in pursuit of clearly identified goals" (Jackson, 2003, p. 16). They involved application of a set of techniques and procedures to well-defined problems to "engineer" the system to achieve an outcome, and included Operational Research, Systems Analysis and Systems Engineering methodologies that were developed during or in the aftermath of World War II. By the 1970s, however, it was generally acknowledged among applied systems thinkers that HSMs were of limited use for more complex problem situations, where there were vast numbers of relevant variables and interactions (Jackson, 2003, p. 21). Consequently, "soft systems thinkers abandoned the notion that it was possible to assume easily identifiable, agreed-on goals that could be used to provide an objective account of the system and its purposes" (Jackson, 2003, p. 22). Arguably the most influential approach of this kind was Checkland's (1981) "soft systems methodology" (SSM), which allowed for alternative perspectives to be explored systemically. Khisty (1995, p. 91) referred to SSM as "an inquiring system used for tackling ill-structured, messy problem situations in engineering and planning" and noted that, in practice, there was a tendency for HSM and SSM to be both complementary and supplementary.

The application of quality management system concepts (see, for example, Juran, 1995) to OHS in the early 1990s in the form of OHS management systems (OHSMSs) was spurred by several factors, including:

However, by the late 1990s the reduction in fatalities and injuries achieved, at least in part, with the implementation of OHSMSs had plateaued and it became clear that the mechanical application of OHSMSs was not going to achieve the desired level of safety performance (Hopkins, 2000; Hudson, 2007). Considerable OHSMS-related discussion along with the publication of a Standards Australia guidance document and its subsequent revisions culminated in a "pair of linked and complementary Standards…for organizations wishing to implement, develop, improve, or in some cases audit an OHSMS:"

"AS/NZS 4804:2001, Occupational health and safety management systems – General guidelines on principles, systems and supporting techniques is the primary Standard relevant to all organizations and provides general guidance on how to implement, develop and/or improve an OHSMS. This Standard, AS/NZS 4801, Occupational health and safety management systems – Specification with guidance for use, establishes an audit framework principally for use by third party bodies that have been asked by an organization to conduct an independent audit of the organization's OHSMS. The framework can also be used as a reference point for internal auditing procedures. It is envisaged that not all users of the primary Standard, AS/NZS 4804, will need to use AS/NZS 4801" (SA/SNZ, 2001a, p. iv)

(SA/NZS, 2001a, p. iii)

3 Understanding "systems"

3.1 System and systematic

Waring and Glendon (1998, p. 50) defined a system as "a recognizable whole which consists of a number of components or elements which are interconnected in an organized way" and itemised the following system characteristics:

Components are perceived to be interrelated in hierarchical structures.

Addition or removal of a component changes the system and its characteristics.

A component is affected by its inclusion in the system.

Means for control and communication which promote system survival are identifiable.

The system has a boundary.

A "system environment" which affects the system exists outside the system boundary.

Someone "owns" or has an overriding interest in the system for the purposes of understanding and/or improving aspects of the real world.

System elements may be tangible (e.g. a safety committee, a document) or intangible (e.g. processes, information flows, relationships, interpersonal interactions, values and beliefs). Systems have inputs, outputs, a boundary, and feedback loops that operate like a thermostat, making the system responsive to the environment in which it exists (Meadows, 2008) (Figure 1). As noted by Meadows (2008, p. 2), the elements of a system are "interconnected in such a way that they produce their own pattern of behavior over time."

Taking the viewpoint of a system as a biological entity that adapts to survive, Checkland (1999) identified system characteristics as (1) emergent properties, (2) a layered structure, (3) a process of communication and (4) a process of control:

This notion of "the adaptive whole" is the central image in systems thinking…[I]t must have so-called emergent properties. These are properties which make the whole entity "more than the sum of its parts"…The parts of a bicycle, in a sack, are simply an aggregate. When assembled in the particular structure we call a "bicycle," that entity has vehicular potential, which is an emergent property of the whole…[W]holes having emergent properties may well have smaller wholes with their own emergent properties [i.e.] layered structure…[I]f our entity is to survive in environments which change, it must have available to it ways of finding out about its environments and ways of responding internally to them; it must have processes of communication and control. (Checkland, 1999)

Systematic refers to a set of logically ordered steps that may be part of a system (Waring, 1996). The following discussion on systems of work and OHS management systems indicates that what is often referred to as a "system" in the OHS context is more appropriately conceived as a systematic approach rather than a systems or systems-thinking approach.

3.2 Systems of work

The phrase "systems of work" (and particularly "safe systems of work") has its origins in the 1972 Robens' Report in the United Kingdom (Robens, 1972) and the subsequent Health and Safety at Work Act 1974 (UK). Under this Act, one of the general duties of the employer is to provide and maintain healthy and safe plant and systems of work. Australia, in implementing Robens-style legislation, enshrined this duty within OHS Acts in the various Australian jurisdictions and the "provision and maintenance of safe systems of work" is a primary duty under the national Model Work Health and Safety Act (Safe Work Australia, 2011a) (WHSA s 19.3c).

Courts often cite the failure to provide and maintain a safe system of work when prosecuting employers in cases of work-related injuries and fatalities. What constitutes, or should have constituted, a safe system of work is often clearer with hindsight. For managers, what is required to provide a safe system of work may be ambiguous. For example, it may not be clear whether a safe system of work refers to safe work method statements, job safety analyses, confined space entry permits and lock-out/tag-out procedures, or matters to do with the broader organisational arrangements for managing OHS, or all of these things. The Australian Standard providing guidance on OHS management systems states that "documented procedures and work instructions are commonly known as safe systems of work or standard operating procedures" (SA/SNZ, 2001b, p. 31). The indication here is that safe systems of work are akin to safety rules or a form of administrative control within the hierarchy of controls, and apply to individual workers performing specific tasks.

Drawing on legal case history, Sherriff (2011) takes a somewhat broader interpretation in defining a system of work as "a planned and co-ordinated assemblage of procedures and/or arrangements which provides the method by which work is undertaken". South Australian WorkCover Corporation takes a similar broad approach in their explanation:

Safe systems of work are the total set of methods adopted for carrying out the operations required in a particular workplace. They cover all aspects of the employment situation including:

the organisation of work processes

the methods of using machinery, plant and equipment

the methods of hiring labour

job training, instruction and supervision about associated hazards and their management

what to do when things go wrong (SafeWork SA, 2003).

Another interpretation of systems of work, reportedly held by engineers, is that a system of work includes hardware and the people involved with the hardware, whose actions are guided or controlled by rule sets (procedures) for efficient and safe (harm-free) operation.

This identification of different elements of the "system of work" reflects the sociotechnical and ergonomics system models, which emphasise the importance of interactions between system elements ranging from micro to macro levels. However, in the absence of widespread understanding of such concepts and models, statements about what constitutes a safe system of work have the potential to mean different things to different workplace parties.

Also, legal interpretation aside, the word "system" as applied to safe systems of work probably reflects a systematic or functional approach to controlling risk (Waring, 1996) that may be applied by individual workers or those accountable for managing risk, and documented in an OHS management system.

3.3 OHS management systems

Waring (1996) described an OHS management system (OHSMS) as:

A structured systematic means for ensuring that both general and particular aspects of what the organization does are effectively managed to meet high standards of safety and health.

As defined in AS/NZS 4801:2001 Occupational Health and Safety Management Systems – Specifications with Guidance for Use, an OHSMS is:

That part of the overall management system which includes organisational structure, planning activities, responsibilities, practices, procedures, processes and resources for developing, implementing, achieving, reviewing and maintaining the OHS policy, and so managing the OHS risks associated with the business of the organisation (SA/SNZ, 2001a, p. 4).

These definitions are compatible in that both focus on the purpose of the system (i.e. to effectively manage OHS risks within organisations) and refer to systematic approaches to risk control (Borys, 2001).

Organisational commitment and policy – refers to senior management's commitment to the goals of the system; this commitment is manifest in the policy, which formally describes the goals of the organisation with respect to OHS, and is continually reiterated by the things that management pay attention to and measure. The rest of the management system is developed as a means to achieve the goals set out in the policy.

Planning – describes how the organisation intends to achieve the goals described in the policy. The process includes gathering information about the outer and inner contexts and defining the system boundary. It involves allocation of human and financial resources and describes how the organisation will judge its performance.

Implementation – describes the systematic approach that the organisation takes to managing its risks, particularly with respect to the operations of the organisation. Each risk encountered by the organisation must be controlled as part of the system implementation.

Measurement and evaluation – describes the feedback loops that the organisation uses to determine if it has achieved its goals. This part of an OHSMS describes what gets recorded and reported and how performance is reported back to senior management. It provides the data for the governance review.

Review and improvement – closes the loop on whether the management system met the requirements of the policy. This is an important component of corporate governance.

In addition, OHSMSs need to be responsive to the environment. As indicated in section 3.1, the system boundary determines what is inside and outside the system (i.e. its inner and outer environments, or contexts) (Waring, 1996; Waring & Glendon, 1998) (Table 1). An in-depth knowledge of the inner and outer contextual factors is necessary before an OHSMS can be designed to suit a particular organisation.

Table 1: Outer and inner contexts that influence an organisational system (Waring, 1996)

| Outer Context | Inner Context |
| --- | --- |
| Legislation | Business policy and goals |
| Public policy | Organisational structure |
| Economy | Decision-making processes |
| National standards | Technology adopted |
| Technology | Information flows |
| Trade union policy | Resource necessity and allocation |
| Social culture | Organisational history |
| Community concerns | Power relations |
| Risk perceptions | Risk perception |
| Community history | Organisational and safety culture |

Furthermore, when changes occur in the outer or inner contexts (e.g. new legislation, changes in community attitude or the introduction of new hazards to the workplace), a process must be in place to detect these changes and to determine the impact on policy and on implementation of the management system.

The limitations of OHSMSs have been noted by many (Hopkins, 2000, 2007; Reason, 2000). Certainly, an OHSMS is not a panacea for OHS issues, and the written documents do not guarantee legal compliance or a healthy and safe workplace. However, an OHSMS does provide a method for collecting and keeping up to date the organisation's espoused methods for providing safe and healthy systems of work. It provides written material that facilitates training, encourages communication and makes it possible to determine if the organisation is following its own processes.

While there is no legislated requirement for OHSMSs in Australia, the national Model Work Health and Safety Act (Safe Work Australia, 2011a) requires persons conducting a business or undertaking (PCBUs) to "ensure, so far as is reasonably practicable, the health and safety of workers" (WHSA s 19.1).

To identify what is or was reasonably practicable all of the relevant matters must be taken into account and weighed up and a balance achieved that will provide the highest level of protection that is both possible and reasonable in the circumstances (Safe Work Australia, 2011b, p. 2).

The documentation, implementation and monitoring of an OHSMS can demonstrate that "all of the relevant matters [were] taken into account and weighed up and a balance achieved." Also, the OHSMS reporting, auditing and review processes provide a formal method for meeting the WHSA requirement for PCBUs and "officers" to exercise "due diligence" (WHSA s 27). Unfortunately, while the absence of a documented OHSMS would severely hamper due diligence and corporate governance, its presence does not guarantee a safe and healthy workplace. The documentation is a system component, not the system itself.

3.4 Systems thinking in an OHSMS context

As indicated in section 2, systems thinking, or treating organisms as whole entities, emerged in the 1940s in response to the limitations of mechanistic or reductionist thinking (Flood & Jackson, 1991). Systems thinking can assist in preventing the documented OHSMS from becoming misaligned with the way work is actually done. As a result of the interaction of system elements, a system produces its "own pattern of behavior over time" (Meadows, 2008). As, for example, motion emerges from the interaction of elements of a vehicle, healthy and safe workplaces emerge from the interaction of elements of the organisation's systems (i.e. from the way that technology, equipment, processes, management commitment, culture and people interact to perform the functions of the organisation). While examining each element is useful and informative, it provides limited information about the overall functioning of the system.

Developed by Stafford Beer in the 1970s, the management cybernetics Viable Systems Model (VSM) offers some insight into how to structure an OHSMS (Tepe & Haslett, 2002). A viable system is one that will achieve its ends, respond to its environment and continue into the future; its elements are bound together by information flow (Grantham & Carr, 2002; Tepe & Haslett, 2002). Stephens and Haslett (2011) applied Beer's VSM principles to construction of the PICCO strategic management framework:

Policy (P), which describes what the organisation intends to do and achieve. While this is similar to the policy described in AS/NZS 4801 (SA/NZS, 2001a), a viable system policy must be specific to the organisation and clear about what is to be achieved. This policy may be documented, spoken or tacitly understood. Management commitment is manifest in the policy and the way management communicates it.

Intelligence (I) and responsiveness to the environment, which refers to knowing what is happening in the environment that will affect the ability of the organisation to achieve its policy, and determining how the policy may need to change in response. This could be related to legislative changes, community concerns, changes in technology, changes in corporate commitments or even changes in the weather, depending on what is trying to be achieved with the system.

Control (C), which refers to the resources (human, technology and financial) needed to achieve the policy; this is often called the resource bargain. Control is also about how the organisation will judge the performance of the system. With respect to an OHSMS, this is about budgets for safety, as well as access to people and how they spend their time.

Coordination (C), which concerns the things that need to be coordinated across all aspects of the organisation, such as training, scheduling, approaches to procedures and documentation. The documentation of an OHSMS should be part of a coordinated approach shared across all the operational groups of an organisation. The specific approach to each hazard should be adjusted for each operational group.

Operations (O), which is what the organisation does (e.g. manufactures things, provides services). Operations must make the policy happen and report back to the policy makers about how resources have been used to implement the policy.

A sixth element – Evaluation (E) – can be added to the PICCO framework:

Evaluation (E), which involves assessing whether the operations achieved the policy outcomes. This monitoring closes the loop on the governance cycle as the organisation determines if it achieved its policy in practice.

While these elements are consistent with the OHSMS principles identified in AS/NZS 4801 (i.e. organisational commitment and policy, planning, implementation, measurement and evaluation, review and improvement) (SA/SNZ, 2001a), the viable system takes a broader view of what environmental information must be monitored and shared within the organisation, and puts less emphasis on system documentation. Also, Beer’s VSM includes the following aspects that are not particularly well addressed in most OHSMSs:

Algedonic signal (AS): A viable system must have a way of knowing when the policy is not working. The AS is the feedback process within the system that indicates that the system is performing outside the expected performance criteria. It is certainly an emergency signal, but can also signal when things are going exceptionally well. When the AS is activated all policy concerning what should be done, how it is controlled and coordinated, operationalised and evaluated is changed to reflect the needs of the emergency.

Requisite variety: Ashby’s (1956, p. 207) law of requisite variety states that “only variety can destroy variety.” To control a complex system, therefore, the same degree of variety that is present in the system must be able to be commanded and/or the degree of variety in the system must be reduced. This requisite variety of controls complements and extends the OHS concept of the hierarchy of controls; while one should control a hazard with the highest level from the hierarchy, there must be the requisite variety of controls to control other possible states (e.g. while an engineering control may be appropriate, complete control will also require training, maintenance, procedures, personal protective equipment and mitigating controls).

Recursive structure: “a viable system always contains and is contained in another viable system” (Stephens & Haslett, 2011, p. 431). Each organisational unit able to make decisions in response to its environment must be a viable system. This implies that a viable OHSMS must have all the elements of an OHSMS at each level of hierarchy within the organisation, from its smallest autonomous workgroup (its smallest viable system) to its international corporate centre. The higher levels of the organisation become part of the “environment” in which the lower levels work.

A viable system approach focuses on ensuring that the purpose of the system and each of the subsystems is known, that appropriate information is shared and consultation occurs, that management commitment is widely communicated, that each operational unit has the elements of the viable system (PICCOE) and recognises how to control the risks to its own operations, and that appropriate measures of performance are continually monitored to evaluate the state of the system.

A viable system approach is particularly relevant for complex organisations with many different activities. Because it focuses on providing and receiving information, it has a strong human aspect and its function is closely linked with organisational culture.

3.5 System safety

“Safety” as interpreted in this OHS Body of Knowledge is about the prevention and minimisation of work-related fatality and injury (with the implication that the “H” in OHS is about prevention and minimisation of disease and ill-health). System safety has a different focus in that it is about the safety of the “system” to ensure operational outcomes which would usually include the safety of people.

“System safety” has been defined as:

The application of engineering and management principles, criteria, and techniques to optimize all aspects of safety within the constraints of operational effectiveness, time, and cost throughout all phases of the system life cycle (USAF, 2000, p. vii).

The US Department of Defence (DoD) and their contractors are among the most established users of the system safety approach. MIL-STD-882D: Standard Practice For System Safety (DoD, 2000, p. ii) addresses the “management of environmental, safety, and health mishap risks encountered in the development, test, production, use, and disposal of DoD systems, subsystems, equipment, and facilities.” The system safety approach is also widely used by major companies and public utilities, with key industries being aerospace, automotive, aviation, biomedical, business and finance, chemical, computers and software development, energy generation and distribution, as well as the military (SSS, 2002).

The objectives of a System Safety Program as defined by the US Air Force Safety Centre are to ensure that:

a. Safety, consistent with mission requirements is designed into the system in a timely, cost-effective manner.

b. Hazards are identified, evaluated, and eliminated, or the associated risk reduced to a level acceptable to the managing activity (MA) throughout the entire life cycle of a system.

c. Historical safety data, including lessons learned from other systems, are considered and used.

d. Minimum risk is sought in accepting and using new designs, materials, and production and test techniques.

e. Actions taken to eliminate hazards or reduce risk to a level acceptable to the MA are documented.

f. Retrofit actions are minimized.

g. Changes in design, configuration, or mission requirements are accomplished in a manner that maintains a risk level acceptable to the MA.

h. Consideration is given to safety, ease of disposal, and demilitarization of any hazardous materials associated with the system.

i. Significant safety data are documented as “lessons learned” and are submitted to data banks, design handbooks, or specifications.

j. Hazards identified after production are minimized consistent with program restraints. (USAF, 2000, p. 27)

The International System Safety Society (New England Chapter) presented the following list of potentially overlapping tasks in a System Safety Program:

A primary manifestation of such a program is the System Safety Program Plan (SSPP), which is a detailed description of the planned tasks and activities expected when implementing a System Safety Program (SSS, 2002). The following is a description of the SSPP and its phase-oriented approach as documented by the International System Safety Society:

The SSPP includes organizational responsibilities, resources, methods of accomplishment, milestones, depth of effort and points of integration with other programs, engineering and management activities, and related systems. In its initial stages, it provides a basis of understanding for both the contractor and the [client], describing how the system safety program will be accomplished…

The purpose of the SSPP is to establish direction, and control monitoring and validation for the system under analysis. It defines the participants of the safety program and their responsibilities, which minimally include:

Defining safety requirements

Detailing safety analysis techniques

Outlining hazard and assessment criteria.

An SSPP also describes safety analysis and testing methods. All personnel and equipment hazards that could possibly be encountered need to be identified. It will provide solutions for either elimination of the hazard, or mitigation to an acceptable level, with consideration given to time and cost parameters. The goal of the SSPP is to ensure that safety is an integral part of the system design. The plan details the System Safety Program’s organization, implementation procedures and compliance to standards, as well as its compliance to other system safety plans.

Safety issues need to be continuously identified, documented, tracked and resolved. This process of hazard analysis must persist throughout the life cycle of the plan. The SSPP dictates what type of closed-loop system (generally a database) to use to obtain information that will eliminate, or mitigate to an acceptable level, all identified hazards. This system will contain the hazards from your preliminary hazard list, the initial hazard risk index (HRI), the mitigation recommendation, the target HRI and the final HRI after mitigation. (SSS, 2002, pp. 12–13)

The Subsystem Safety Hazard Analysis (SSHA) component of the System Safety Program includes determination of:

Possible modes of failure that include reasonable human error, as well as single point and common mode failures, and the effects on safety when a failure occurs in subsystem components

Potential contributions of hardware and software events (including those developed by other contractors/sources), faults and occurrences (e.g. improper timing) on the safety of the subsystem

Satisfactory fulfillment of safety design criteria in the hardware, software and facilities specifications

Hardware, software and facilities design requirements and corrective actions, such that they do not impair or decrease the safety of the subsystem, or introduce any new hazards or risks

Detailed safety design requirements from top-level down through the design specifications for the subsystem (the Preliminary Hazard Analysis and Safety Requirements Criteria Analysis should also be included in the analysis to ensure that these requirements are met)

Safety test plan and procedure recommendations to integrate into the hardware and software test programs

Analysis of system-level hazards attributed to the subsystem, and the inclusion of adequate controls of the potential hazard in the design. (SSS, 2002, p. 16)

While the terminology concerning systems safety and SSPP would be familiar to American engineers, it can be readily translated into the more familiar hazard identification, risk assessment, and risk control consistent with Australian usage. The SSPP, if taken at the facility or plant level, would be consistent with the development of a Safety Case as required by Work, Health and Safety legislation on major hazard facilities.

3.6 System variability

Despite the rigorous assessment of hazards and risks associated with many complex technological activities and their incorporation into OHSMSs, accidents still occur. The increasingly complex nature of sociotechnical systems led to Perrow’s 1984 suggestion “that accidents should be considered natural occurrences rather than abnormal and unusual phenomena” (Hollnagel, 2004, p. 140). Hollnagel (2004, p. 141) described Perrow’s assessment of the growing complexity of systems:

Complex systems consist of multiple parts that depend on each other, and there is only a limited possibility of delaying processes or in carrying out actions.

Actions must generally follow in invariant sequence and there is often only one method to achieve a goal.

There is limited possibility of slack or of substituting supplies, resources or personnel.

Buffers and redundancies exist only as they have been designed into the system, and cannot be adjusted to fit unforeseen demands.

“Tight couplings” (i.e. restricted time to respond to process events) combined with process intractability (i.e. the ability of operational management to understand what is happening at any point in time) of system components result in systems that are increasingly difficult to operate and manage (Perrow as cited in Hollnagel, 2004), and do not deal well with variability, which Hollnagel (2004, p. 141) maintained is a “necessary condition for the proper functioning of systems.” Conversely, “loosely coupled” systems have sufficient slack to absorb variability of inputs and demands, and more readily accommodate human interaction. Variability may arise when people who operate systems have to make compromises to meet process demands in ways that are not anticipated and often not understood by the designers of the system. Human performance is inherently variable and approximate; it is this variability that is responsible for successful operation of workplaces as well as accidents. Thus accidents (and hazards) are emergent properties of the normal variability of complex sociotechnical systems (Hollnagel, 2004).

Performance variability is not the same as human error: “On the contrary, [it] is a necessary condition for the proper functioning of systems of even moderate complexity” (Hollnagel, 2004, p. 141). Variability is deliberate and purposeful and comes from the need to be adaptive in a constructive manner. The system demands variability because it is changing over time and, given the many subsystems, most likely on several time scales simultaneously. Hollnagel (2008) identified the sources of performance variability as:

While in the past we have tended to look for negative aspects of performance deviations or “errors,” performance variations are now perceived as potentially positive and often essential (Hollnagel, 2004). According to Dekker (2005, p. 139):

Safety results from people being skillful at judging when and how (and when not to) adapt procedures to local circumstances. For progress on safety, organizations must monitor and understand the reasons behind the gap between procedures and practice. Additionally, organizations must develop ways that support people’s skill at judging when and how to adapt.

Thus it is the context within which the system operates that determines the extent of variability demanded. As discussed in section 3.3, an organisational system is influenced by outer and inner contexts (Waring, 1996). Key inner-context elements include organisational structure and culture. Reason (as cited by Borys, Else & Leggett, 2009, p. 20) contended that an overreliance on systems, and insufficient understanding of and emphasis on workplace culture, can lead to failure because “it is the latter that ultimately determines the success or failure of such systems.” Recent research into the reasons for success, measured as low numbers of serious mishaps, in some complex systems such as aircraft carriers, nuclear power stations and air-traffic control operations has focused attention on “mindful leadership” (Hopkins, 2008). It appears that High Reliability Organisations (HRO) are characterised by “collective mindfulness” (Weick & Sutcliffe as cited in Hopkins, 2008). Collectively mindful organisations are well defended; they are better equipped “to cope with unpleasant surprises in an optimal manner” (Reason, 2008, p. 240). Mindful leaders are constantly worried about the possibility of failure, reluctant to draw quick conclusions, and sensitive to the experience of people in the workplace, and they encourage them to speak up. Mindful organisations exhibit “chronic unease” and are aware that despite normal functioning, danger lurks below the surface. They are able to detect warnings, especially from weak signals, and they respond strongly to them. They detect variability and respond to it appropriately (Hopkins, 2008).

However, as discussed, failures cannot be prevented by eliminating performance variability (Hollnagel, 2004). Rather, risk and safety analyses should try to elucidate the variability of normal performance and identify conditions that may lead to both positive and adverse outcomes. Borys, Else and Leggett (2009) suggested that we are entering an “adaptive age” that:

…requires an acceptance by organisational leaders that groups of workers may, through interaction with one another and the tasks they perform together [in the context of the sociotechnical system], create their own shared meanings about what it is to work safely…. In some organisations (systems), adapting may be a pre-requisite for safe performance whilst in others it may be disastrous… [Thus] the adaptive age [is not] a “free for all”, rather it requires a more demanding standard of attention resulting in a more subtle, nuanced and refined appreciation of how OHS is managed that embodies the capacity to be adaptive rather than rule bound.

This involves providing workers with the skills necessary for judging when adaptation is good for safety and when it could result in fatalities, injuries and disease (Borys, Else & Leggett, 2009).

The design of processes and the writing of procedures by non-operations personnel for operational implementation that requires variability and adaptability often results in a gap between work as imagined (by non-operations personnel) and work as performed (Dekker, 2006; Dekker & Suparamaniam, 2005). This is referred to as drift. Borys, Else and Leggett (2009, p. 25) maintained that “people at all levels of the organisation need to be able to distinguish between drift that is adaptive and improves organisational performance” and drift that exposes people to risk. The solution to drift is not to further restrict performance variability, but to monitor and detect drift toward failure (Borys, Else & Leggett, 2009). Such drift may be detected by warnings. Traditionally, “near misses,” or process interruptions constituted warnings; however, more contemporary views suggest that there should be a focus on “weak signals” that indicate that drift is occurring and that a strong response is required before near misses and injuries occur.

As Hollnagel (2004) suggested, “accidents result from unexpected combinations of normal performance variability.” Because variability is an “efficiency-thoroughness trade-off,” we cannot separate variability in actions from performance (see Hollnagel, 2009). Thus the boundary between the zone of acceptable variability and the warnings zone is, in reality, a boundary between optimal and suboptimal performance.

The avoidance of a “drift into failure” is an appropriate goal for organisations wishing to become more “resilient.” This may involve “making the gap between work as imagined and work as actually performed visible because the more the gap remains hidden, the more likely it is that the organisation will drift into failure” (Borys, Else & Leggett, 2009, p. 26). According to Dekker and Suparamaniam (2005), “the larger the distance between actual work and work-as-imagined, the less likely it is that people in decision-making positions are well calibrated to the actual risks and problems facing their operation.”

In an environment where we know that variability is not only natural but necessary, conceiving safety as a reduced number of adverse events is not helpful. It will lead us to the conclusion that negative outcomes are caused by failures and we will try to eliminate failures, which are unpredictable and rare. Instead, we need to conceive safety as the ability to succeed under varying conditions, and recognise drift and act on warnings to improve organisational resilience (Hollnagel, 2008).

4 Implications for OHS practice

Thinking about systems in their wider context is an important process for OHS professionals. The design of OHS interventions needs to be considered not just in terms of a specific procedure or piece of plant (i.e. the system elements), but also how these system elements interact as part of a whole.

While a systems approach to OHS requires the OHS professional to consider the whole lifecycle of the system, some systems techniques work better at different stages of a system’s lifecycle. System Safety is a powerful approach for detecting hazards and risks associated with a proposed system at the design stage. Controls for these risks can be documented and integrated into the operation of the system; this information can be recorded in an OHS management system. The OHSMS can also document the system of work, including safe operating procedures, and the manner in which system function is judged (e.g. which operating parameters need to be monitored to determine if the system is operating effectively and safely).

OHS professionals need to be mindful of system variability and the need to be adaptive. System evaluation involves monitoring the operating parameters, perhaps through checklists, and auditing the system elements and interactions. The results are made available to the policy makers and system designers who use this data to determine if their system is achieving what they set out to achieve. This cycle provides a governance process for organisations to show that they have safe systems of work.

The PICCOE model provides a useful framework for checking whether a system is viable; that is, whether it is able to adapt to environmental conditions and achieve its intended goal. By asking the right questions about a system, a subsystem, a work procedure or a planned OHS intervention, an OHS professional can detect whether all the system elements have been addressed and if information flows are adequate (Table 2).

Table 2: Example use of the PICCOE framework for viable systems

P (Policy / Planning): What are we going to do? Is management committed to making this happen?

I (Intelligence / Environmental Scan): What do we need to know? What is going on around us that may influence our outcomes?

C (Control): What resources and accountability are needed? How will we measure our success? What performance indicators should we use?

C (Coordination): What needs to be coordinated: schedules, training, information flow, procedures, access to equipment? Who else needs to know; when and how?

O (Operations): Just do it. Use the resources to accomplish the policy. Algedonic Signal: What will it look like if it goes wrong? How will we know?

E (Evaluation): What do we need to measure or check to know if we succeed in the short term, in the longer term? Did we get the right performance outcomes?

5 Summary

Systems thinking and systems methodologies developed from the late 1940s; their application to OHS evolved from approaches based on human-machine systems and system safety.

Safe (and healthy) systems of work became a legal requirement with the implementation of Robens-style legislation and are enshrined in current OHS legislation in Australia. While there is a lack of clarity as to what constitutes safe systems of work, they may be considered to be a systematic, or logically ordered, approach to controlling all OHS risk, which would usually be documented in an OHSMS. Although OHSMSs are not a legal requirement in Australia, they are important in demonstrating that at least some of the “reasonably practicable” steps have been taken and some degree of “due diligence” has been applied. OHSMSs have limitations that may be due, in part, to their “systematic” nature as opposed to a “whole systems” approach in which the interaction of the elements as part of the whole would be the focus. Also, limitations of OHSMSs may be due to heavier emphasis on the “technical” component of “sociotechnical systems” than the “socio” component (or human physical and cognitive limitations and capacities). Some aspects of these deficiencies are addressed by recent discussions of organisational culture and OHS. However, much remains to be done.

Systems thinking and the PICCOE framework of the Viable Systems Model offer OHS a way to structure systems so that the interaction of the elements is considered as part of the whole. Systems thinking highlights the “algedonic” or warning signal, requisite variety and a recursive structure as important features of system design.

OHS professionals need to recognise that variability is inherent in the complex sociotechnical systems in which they work. Not only is human performance variable, but systems demand variability that is adaptive and purposeful as part of survival. This variability is not the same as the “failures” and “errors” that are seen to contribute to accidents. Such failures cannot be prevented by eliminating performance or system variability; instead, OHS processes should try to elucidate the nature of variability (or drift) and identify conditions that may lead to both positive and adverse outcomes.

This chapter has reviewed the use of systems terminology and some systematic and systems methodologies that are relevant to OHS. It advocates a broader approach to systems in OHS that is inclusive of the concept of system variability and that, consistent with the perspective advanced by Borys, Else and Leggett (2009), transcends earlier approaches without discounting them.